Thsi is a duplicate post. As this i srelated to security I posted it here too. Sorry for the inconvinenece.

Hi All,

Recently some one deleted some rows from a table. I was asked to find out who did it. Since the log has not been backed up since the time the DB was created I took the help of undocumented Table valued function ::fn_dblog() which gives me the contents of the active portion of the log. I filtered on AlocUnitName and operation column.

Allocunitname being the table name and OPERATION being the 'LOP_DELETE_ROWS'.I was looking fior the column TRANSACTION SID to find out the SID of the user that started the transaction that deleted the rows. I did get it.

But the problem is the value of the SID is 0x01 which is the dbo user. It is evident that a server level login with sysadmin privilages did the delets. Is there any way I can find out the server login mapped to the dbo user?